Results 1 to 6 of 6

Hybrid View

  1. #1
    Junior Member
    Join Date
    Dec 2004

    MAC Address and ARP Spoofing v1.3 by stevecronin

    MAC Address and ARP Spoofing v1.3
    By Steve Cronin


    What's new in v1.3?
    -Revised Windows MAC Address Spoofing Section
    -Revised Format (Layout/Order)
    -Added CAM Table Info
    -Added TCPDump Info

    MAC - Media Access Control (AKA BIA - Burned In Address)

    Referenced to: OSI Model Layer Two - The Data Link Layer

    The data link later encodes and decodes transmitting packets on a network into bits. The second layer has all the protocol information that is included in the first layer. The data link layer has two sub layers, MAC (Media Access Control) and LLC (Logical Link Layer.) The MAC sublayer controls computer data transmission authentication, and the LLC sublayer controls error checking.

    MAC addresses identify each computer (node) on a network. They differ from IP addresses because IP addresses can be user assigned and maintained, while MAC addresses cannot. MAC addresses are stored (actually burned) in network cards, this is why they are also referred to as a hardware address. You cannot change your MAC address, unless you exploit your card and solder on new data. MAC addresses are presented as 48 bit hex numbers, which are assigned by the manufacturer of the card. (Total 12 digits.) The first 6 digits represent the manufacturer ID, while the last 6 digits are a serial number assigned by the manufacturer.


    MAC address - 0D602F3A07BC
    First 6 digits - 0D602F (Manufacturer ID)
    Last 6 digits - 3A07BC (Manufacturer Serial Number)

    While you cannot physically change your MAC address through your operating system, you can "spoof" the address. (Tricking the computer into sending/ storing a fake address.) There are free downloadable programs that do this for you, such as "MAC Makeup" (that come with cool features), however you can also do this through the Linux shell/ Windows registry.

    To spoof your MAC address in Linux:

    Access your shell and type:

    "ifconfig eth0 down hw ether 00:00:00:00:00:00"

    "ifconfig eth0 up"

    (00:00:00:00:00:00" being your new MAC address)

    To spoof your MAC address in Windows:

    Method 1:

    Some network cards have a "spoof MAC configuration" built in, if yours happens to have this, then use this method.

    1. Go to the Control Panel and double click on Network and Dial-up Connections.

    2. Right click on your card and click on "properties"

    3. Click on the configure button under the general tab

    4. Click on the "Advanced" tab

    5. Under the Property section, click on "Network Address" (or "Locally
    Administered Address")

    6. Under "Value", (on the right side) type in the New MAC address you want to assign to your card.

    7. Run an "ipconfig /all" or "net config rdr" to confirm the changes.

    8. Reboot

    Method 2:

    Windows 2000/XP

    1. Start the registry editor (Run - regedt32)

    2. Go to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1
    -08002BE10318}". Double click on it to expand the tree. The subkeys are 4-digit numbers,
    which represent particular network adapters. You should see it starts with 0000, then 0001,
    0002, 0003 and so on.

    3. Find the interface you want by searching for the proper "DriverDesc" key.

    4. Edit, or add, the string key "NetworkAddress" (has the data type "REG_SZ") to contain
    the new MAC address.

    5. Disable then re-enable the network interface that you changed (or reboot the system).

    For WIN9x

    Use the Windows 2000/XP method, except go to the registry key: "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net"
    When done, you must restart.

    About ARP (Address Resolution Protocol)

    Referenced to: OSI Model Layer Three - The Network Layer

    The network layer is in charge of IP addressing and routing. Tables are built to identify addresses on switches and computers for any network related devices.

    The ARP matches and stores MAC and IP addresses for each node for Ethernet communication. When any packet is sent through a gateway, such as a router, the gateway uses ARP to identify the initial send node's MAC/ IP address and stores it in the packet header sending to the destination node. The IP/ MAC address matches for each node are stored (cached) in an ARP table. During MAC address packet transmission, the matches are stored in both client and host nodes.

    Potentially, if a mischievous wardriver were to perform malicious actions on a network, their MAC address would be stored in the ARP table (because it stores in both client and host machines) and the network admin could find the manufacturer of the wireless card you used to hack their network. The manufacturer could then match their serial ID of the MAC address and match it to a company, and then customer, it was sold to. In other words you would get owned! (This is why it's best to buy a NIC off ebay and use that for hacking.)

    If a hacker obtained control of an ARP table (physically or remotely), he could potentially change the IP to MAC address maps and use them to his advantage, such as rerouting network traffic to a computer of choice or taking down the entire network!

    Note: Pinging a computer counts as sending/ receiving packets, thus updating the ARP table for the client/ host address.
    Viewing BIAs in the ARP Table

    Linux: type "arp" at the shell
    Windows: type "arp -a" at the command prompt

    Deleting ARP Table entries (Covering your tracks!)

    Linux: type "arp -d <computer hostname>" at the shell
    Windows: type "arp -d *" at the command prompt (removes all entries)

    NOTE: Gateways also have the ability to store the MAC Address/ IP Address linkup. If you did not spoof your MAC Address, even if you clear the ARP table entries, there are still records of your MAC Address. Gateways, such as a switch, store these IP/ MAC linkups in what is called a CAM (Content Addressable Memory) table. These CAM tables look at each device that is connected to the switch. A switch is different than a hub because each port creates a collision domain, like it's own network. The same "learning process" makes CAM tables as ARP tables. Normally, whenever a computer is rebooted, it's ARP table is cleared. Whenever a switch is rebooted, it's CAM table is cleared.

    Adding Static ARP entries

    Linux: type "arp -s <IP> <MAC>" at the shell
    Windows: type "arp -s <IP> <MAC>" at the command prompt

    Example: "arp -s 00-00-00-00-00-00"

    ARP Attacks using Linux

    Download the program "arpspoof"

    The goal of an ARP attack is to capture, monitor, and/or change data flow on a network.

    To start off, you'll need two NICs in your machine. On one card you will connect to the target machine, and on the other card you will connect to the gateway. IP fowarding needs to be enabled on your computer so traffic flows through your computer. To do this, type the following into the Linux shell:

    "echo 1 > /proc/sys/net/ipv4/ip_forward"

    then type

    "cat /proc/sys/net/ipv4/ip_forward"

    You should get a reply of "1".

    When you connect to the gateway on a network, for purposes such as connecting to the internet, your computer sends an ARP request to the target gateway requesting a MAC/ IP address pair up. The switch sees your request and broadcasts it to every single computer already on the network. The gateway receives your ARP request (from the switch) and replies with a MAC address. The gateway updates the MAC/ IP pair up within the ARP table for your computer within it's internal ARP table. The switch then receives the gateway's reply to your computer, and matches up your computer with a port number on the switch. Your computer receives the gateway's reply (containing the new ARP information) and updates its ARP table. Your computer can now send information to the gateway with its verified MAC address.

    ARP spoofing involves tricking the gateway and target computer on the network to reroute all data to your machine, this is done by running two sessions of "arpspoof" on your computer. With the first session you're going to trick the target computer into thinking that your computer has the MAC address of the gateway. With the second session you're going to trick the actual gateway into thinking that your computer is the target computer. This way, all data going in-between the gateway and target computer will be rerouted to pass through your machine.

    Note: If you did not enable IP forwarding, the target computer will lose connectivity.

    The arpspoof sessions might look something like this:

    "arpspoof -t <victim gateway>" (Changes your MAC Address to match that of the gateway, thus updating the ARP table fooling the victim computer will think that you are the gateway.)

    In another session (different NIC)

    "arpspoof -t <gateway victim>" (Changes your MAC Address to match that of the victim computer, thus updating the ARP table fooling the gateway into thinking that you are the victim computer.)

    Now you are able to see all the traffic going on between that computer and the gateway on the network. There are many ways to do this, (ex. Using 3rd party programs) but the simplest would be to do a tcpdump. Performing a tcpdump will pring out all currently passing data on your screen. There many different switches that can be used to define various parameters of the program. However a basic tcpdump session would look like this:

    "tcpdump <victim computer>"

    Preventing ARP Attacks

    1. Download "arpwatch" (Monitors ARP/ IP address matching and lets you know when changes are made)
    2. Encrypt all data transmission on your network. (Using methods such as WEP or WPA)

    That is all! Hope you enjoyed!

    Last edited by stevecronin; December 24th, 2007 at 08:49 AM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

We have made updates to our Privacy Policy to reflect the implementation of the General Data Protection Regulation.